SharePoint Online: Change User Permissions using PowerShell

Requirement: Edit user permissions in SharePoint Online.

How to change user permissions in SharePoint Online Site?

You want to change the user’s permission on a particular site/library/item in SharePoint Online. For example, once a particular project has been completed, you no longer want the team member to add or edit the project’s supporting documents, but only view them! SharePoint provides a flexible way to manage user or group permission changes. Here is how to update user permissions in SharePoint Online.

  1. To edit site permissions for a user, navigate to the SharePoint Online site where the user has access. Click on the Settings gear and then Site Settings.
  2. On the Site Settings page, click on the “Site Permissions” link under the Users and Permissions group.
  3. On the site permissions page, select the checkbox next to the user for which you want to edit permissions. Click on the “Edit User Permissions” button from the ribbon.
  4. Select or clear the relevant permission checkboxes. In this case, you have to untick “Edit” and tick “Read”. Click OK to save your changes.
SharePoint Online applies the highest permission level a user holds. E.g., if a user has both “Edit” and “Read” access, SharePoint considers “Edit”!

Please note that if the site or library inherits permissions from its parent, you may have to stop inheriting permissions before you can give the item unique permissions.

Edit user permissions in SharePoint Online using PowerShell:

Let’s script the above task of editing the user permissions. Remove “Edit” and add “Read” permission to the user at the site level.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Variables for Processing
$SiteURL = "https://crescent.sharepoint.com/Sites/marketing"
$UserAccount="i:0#.f|membership|Salaudeen@crescent.com"
$PermissionToRemove="Edit"
$PermissionToAdd="Read"

#Setup Credentials to connect
$Cred = Get-Credential
$Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Cred

    #Get all Users of the site
    $Users = $Ctx.Web.SiteUsers
    $Ctx.Load($Users)
    $Ctx.ExecuteQuery()
    
    #Get user accounts
    $UserAccounts =  $Users | Select -ExpandProperty LoginName

    #Check if the given user exists in the site
    If($UserAccounts -Contains $UserAccount)
    {
        #Get the User
        $User = $ctx.Web.SiteUsers.GetByLoginName($UserAccount)

        #Get Permission Levels to add and remove
        $RoleDefToAdd = $Ctx.web.RoleDefinitions.GetByName($PermissionToAdd)
        $RoleDefToRemove = $Ctx.web.RoleDefinitions.GetByName($PermissionToRemove)
        
        #Get the User's role assignment on the web
        $RoleAssignment = $Ctx.web.RoleAssignments.GetByPrincipal($User)
        
        #Add/remove permission levels to the role assignment
        $RoleAssignment.RoleDefinitionBindings.Add($RoleDefToAdd)
        $RoleAssignment.RoleDefinitionBindings.Remove($RoleDefToRemove)
        $RoleAssignment.Update()
        $Ctx.ExecuteQuery() 

        write-host  -f Green "User permissions updated Successfully!"
    }
    else
    {
        Write-host -f Yellow "User Doesn't exist in the site!"
    }
}
Catch {
    write-host -f Red "Error Updating User Permissions!" $_.Exception.Message
} 
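
Because SharePoint applies the highest permission level a user holds, removing the direct “Edit” binding does not prove the user can no longer edit; a group membership can still grant it. The following check is an added example, not part of the original script: it reuses the same assumed DLL paths, site URL and login name, lists the user's direct permission levels, and asks SharePoint for the user's effective rights on the web.

```powershell
#Added example: verify the permission change (same assumed paths, site and user as the script above)
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

$SiteURL = "https://crescent.sharepoint.com/Sites/marketing"
$UserAccount = "i:0#.f|membership|Salaudeen@crescent.com"
$RemovedLevel = "Edit"   #Permission level that should no longer be bound directly

$Login = Get-Credential
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Login.UserName, $Login.Password)

Try {
    #Effective rights = direct assignments plus every group the user belongs to
    $Effective = $Ctx.Web.GetUserEffectivePermissions($UserAccount)
    $Ctx.ExecuteQuery()
    $CanEdit = $Effective.Value.Has([Microsoft.SharePoint.Client.PermissionKind]::EditListItems)

    #Direct bindings only; this query fails when the user has no direct assignment on the web
    $DirectLevels = @()
    Try {
        $User = $Ctx.Web.SiteUsers.GetByLoginName($UserAccount)
        $Bindings = $Ctx.Web.RoleAssignments.GetByPrincipal($User).RoleDefinitionBindings
        $Ctx.Load($Bindings)
        $Ctx.ExecuteQuery()
        $DirectLevels = @($Bindings | ForEach-Object { $_.Name })
    }
    Catch {
        Write-Host -f Yellow "No direct role assignment found for the user on this web."
    }

    Write-Host "Direct permission levels: $($DirectLevels -join ', ')"
    If ($DirectLevels -contains $RemovedLevel) {
        Write-Host -f Red "'$RemovedLevel' is still bound directly to the user."
    }
    ElseIf ($CanEdit) {
        Write-Host -f Yellow "'$RemovedLevel' is not bound directly, but the user can still edit items. Check group memberships."
    }
    Else {
        Write-Host -f Green "Verified: the user can no longer edit items on this web."
    }
}
Catch {
    Write-Host -f Red "Error verifying user permissions!" $_.Exception.Message
}
```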

PnP PowerShell to Change User Permissions on a List

Here is the PnP PowerShell to remove “Contribute” permissions and add “Read” permissions to a user in a list:

#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/Retail"
$ListName = "Invoices"
$UserID = "Steve@Crescent.com"

#Connect to the site
Connect-PnPOnline -Url $SiteURL -Interactive

#Remove Contribution Role
Set-PnPListPermission -Identity $ListName -User $UserID -RemoveRole "Contribute"

#Grant Read Role
Set-PnPListPermission -Identity $ListName -User $UserID -AddRole "Read"

Ensure that you’ve set the $SiteURL, $ListName, and $UserID variables to reflect your SharePoint environment and the user for whom you wish to modify permissions.

Conclusion

In this article, we have explored various methods to change user permissions in SharePoint Online. Whether you prefer using the web interface, CSOM PowerShell, or PnP PowerShell, you can easily manage and update user permissions according to your requirements. The SharePoint web interface provides a user-friendly way to modify permissions through the site settings. PnP PowerShell, on the other hand, provides a set of cmdlets specifically designed for managing SharePoint, including permission-related tasks.

Whether you are a site owner, administrator, or developer, understanding how to change user permissions in SharePoint Online is crucial for maintaining a secure and well-managed collaboration environment.

To add or remove permission level to a SharePoint Online Group using PowerShell, use: Change permission level of SharePoint group with PowerShell

Salaudeen Rajack
